Information Security for the German Military

Article by Major General Jürgen Setzer, Vice Chief of the Cyber and Information Domain Service and Chief Information Security Officer of the Bundeswehr.

Information security is of high priority to Germany’s armed forces, the Bundeswehr. Above all, information security must be guaranteed from a technical point of view, but the “human element” plays an essential role as well. The Chief Information Security Officer of the Bundeswehr (CISOBwChief Information Security Officer) has a wide range of instruments at his disposal that cover the entire spectrum from testing a system before it is actually used to large-scale monitoring and quick "first aid" to raising awareness among Bundeswehr members using innovative methods.

Bundeswehr data availability, integrity and confidentiality must be ensured. This triad of information security is of fundamental importance to the Bundeswehr. This applies even more so, the faster the digital transformation of the Bundeswehr progresses, becoming more and more important to mission accomplishment. In order to achieve goals such as increasing the assertiveness of the armed forces on the digitalized battlefield or enhancing administration, comprehensive and sustainable guarantees from information security are required. This article shows which areas and means the Bundeswehr has at its disposal to implement and verify these guarantees.

The Chief Information Security Officer of the German Armed Forces

In many areas of the economy, the role of the Chief Information Security Officer as the person with overall responsibility for information security has long been an integral part of a modern corporate structure. With the creation of the German Cyber and Information Domain Service Headquarters (CIDS HQHeadquarters) in April 2017, the key role of Bundeswehr Chief Information Security Officer (CISOBwChief Information Security Officer), emerging from the previous function of ITInformationstechnik Security Officer of the Bundeswehr, was implemented and transferred to the Vice Chief, CIDS.

The function of CISOBwChief Information Security Officer consists in monitoring information security in the Bundeswehr. The CISOBwChief Information Security Officer is also responsible for ITInformationstechnik risk management in the Bundeswehr, managing the information security situation for Bundeswehr ITInformationstechnik (also for embedded ITInformationstechnik, i.e. ITInformationstechnik systems that are implemented, for example, in machines and process special applications) and safeguarding military interests in information security across ministries as well as internationally.

In order to be able to master the diversity of tasks, two branches were set up as part of the CIDS HQHeadquarters Security Management subdivision to serve as central control and monitoring elements, with the subdivision’s head being the deputy CISOBwChief Information Security Officer.

An essential role of the CISOBwChief Information Security Officer is to control the entire information security organization of the Bundeswehr, particularly the Bundeswehr Cyber Security Center (BwCyberSecC), and to employ the Bundeswehr Computer Emergency Response Teams (CERTBwComputer Emergency Response Team der Bundeswehr), the BwCyberSecC penetration test teams and Cyber Operations Center (CyberOpsC) red teams. In the field of armaments projects, the CISOBwChief Information Security Officer is supported by the CISOInternational Organization for Standardization for armaments in the Federal Office of Bundeswehr Equipment, Information Technology and In-Service Support (FOBwEITISS), who is the central point of contact for information security regarding FOBwEITISS projects, coordinating the necessary measures across projects and making the relevant information security situation available to the CISOBwChief Information Security Officer.

The increasing use and digitization of building and property technology with a wide range of commercially available, networked sensor and control technology are increasingly presenting a challenge for information security. Like the CISOInternational Organization for Standardization for armaments, a CISOInternational Organization for Standardization for infrastructure will support the CISOBwChief Information Security Officer in the future by adapting infrastructure processes, introducing requirements for information security and assessing the state of affairs.

Bundeswehr Cyber Security Center (BwCyberSecC)

Bundeswehr Cyber Security Operations Center (CSOCBw)
The CSOCBw is subordinated to the BwCyberSecC. It monitors the ITInformationstechnik systems of the Bundeswehr and reacts to ITInformationstechnik security incidents.

CERTBwComputer Emergency Response Team der Bundeswehr – Analyze, Support, Contain
The Bundeswehr Computer Emergency Response Teams (CERTBwComputer Emergency Response Team der Bundeswehr) of the CSOCBw have two main tasks: First, they provide so-called "incident response" capabilities, which ensure that the Bundeswehr can react to information security incidents, such as cyber attacks, worldwide at all times. Secondly, the CERTBwComputer Emergency Response Team der Bundeswehr provide ITInformationstechnik forensics as a capability of the Bundeswehr.
 

Incident response capabilities. Incident response capabilities are ensured by mobile Incident Response Teams (IRTs). They operate worldwide, wherever there are connections to the Bundeswehr ITInformationstechnik network. Owing to high flexibility and prompt availability, it is possible to react to information security incidents on a short notice.

In the event of a serious or technically challenging information security incident affecting the Bundeswehr ITInformationstechnik system, the task of an IRT, which consists of three to four people depending on their mission, is to:

• determine the extent;
• contain the impact;
• identify attack routes and exploited vulnerabilities;
• recognize digital traces on end devices and in network traffic;
• assist in restoring information security;
• secure evidence.

In order to fulfill this task, the IRT staff has extensive technical equipment with sometimes special software and hardware that can also be used for mobile applications. IRT members are well trained, undergoing numerous special courses.

Forensics. The Forensics Section provides specialized skills for the fulfillment of two core tasks. First, the specialists investigate the information security incidents. Secondly, they carry out ITInformationstechnik-forensic investigations for disciplinary and, based on mutual assistance, criminal inquiries as well.

If an in-depth technical analysis is required in the event of an information security incident, the IRT transfers the data and hardware it has backed up to the Forensics Section. This is where technical and often very time-consuming analysis takes place. It should be noted that all results must be produced so that they can be used in court and that any change in evidence must be prevented.

Comprehensive digital search for clues includes the analysis, evaluation and technical assessment of data carriers and storage media and of the communication behavior of the systems. It is important that ITInformationstechnik-forensic standards are adhered to and that evidence and work steps are fully documented. The final, qualified and objective investigation report explains all the technical findings that are relevant to the case and can be used in court.

The section also offers technical advice on criminal and disciplinary proceedings, particularly with regard to information technology data backup, recovery or analysis that can be used in court, and also carries out this as part of mutual assistance.

Situation and Monitoring Center – Monitor, Act, Inform

The Situation and Monitoring Center is another branch of the CSOCBw and, with its preventive and reactive tasks, makes a key contribution to achieving cyber and information security. The Situation and Monitoring Center provides this service on a 24/7 basis, 365 days a year and is the first point of contact for all information security officers of the Bundeswehr.

Monitor. The Situation and Monitoring Center monitors the remedying of security vulnerabilities identified through various preventive measures of the BwCyberSecC to increase the protection of the information technology of the Bundeswehr and provides the technical information security situation picture for the CISOBwChief Information Security Officer.

In addition, it evaluates messages from the safety sensors of the CSOCBw around the clock, analyzes this data and coordinates the fight against detected attacks until the CERTBwComputer Emergency Response Team der Bundeswehr take over further processing.

Act. The Situation and Monitoring Center is primarily responsible for the incident management of identified information security incidents. To this end, it coordinates the structured processing of incidents detected by sensor measurements or reported by ITInformationstechnik security personnel in cooperation with operational managers and the CISOBwChief Information Security Officer. If necessary, further coordination takes place with the CIDS HQHeadquarters Joint Situation Center, the Federal Office for Information Security national ITInformationstechnik situation center and the National Cyber Response Center. This serves to maintain and restore information security in the Bundeswehr and, through the integration of the Federal Office for Information Security and the National Cyber Response Center, is also part of national security provision.

Inform.The CISOBwChief Information Security Officer is responsible for all actions intended to achieve cyber and information security for the Bundeswehr. For this purpose, the Situation and Monitoring Center records all militarily relevant preventive and reactive technical information security findings, evaluates them in a level-appropriate and target-group oriented way and presents them to the CISOBwChief Information Security Officer as a technical information security situation picture in a decision-supporting and operationally usable form.

In addition, the Situation and Monitoring Center operates the technical information system "Meldeportal @ller relevanten Vorgänge zur Informationssicherheit" (M@RVIN) registration portal serving as a coordination and cooperation platform for all information security incidents across organizations.
The described functions underline the central role of the Situation and Monitoring Center for CSOCBw and CISOBwChief Information Security Officer task performance.

Vulnerabilities, Risks and Consequences for Secure Systems

The personnel of the BwCyberSecC Verification and Support Division inspect the information security of all Bundeswehr organizations at regular intervals. There are also experts on vulnerabilities in ITInformationstechnik systems. They conduct two types of tests: vulnerability assessment and penetration testing.

Bundeswehr vulnerability assessment. During technical vulnerability assessment, ITInformationstechnik systems of the Bundeswehr are checked for known technical vulnerabilities and incorrect configurations. Here, on the one hand, overarching aspects such as the architecture of the system or the definition of patch management processes and, on the other hand, the configuration of the individual components and services are checked. This is based on terms from a wide variety of sources, including national standards of the Bundeswehr and the Federal Office for Information Security just as international provisions by the EU and NATO or manufacturer specifications and generally recognized best practices.

The responsible German military security accreditation authority (Deutsche militärische Security Accreditation Authority – DEUmilSAA) can already request a vulnerability assessment from the BwCyberSecC during the accreditation of ITInformationstechnik projects. Major organizational units information security officers and the CISOBwChief Information Security Officer can also initiate a vulnerability assessment. It can be provided for individual organizations or specific ITInformationstechnik systems.

A final report is created as a result of vulnerability assessment. It describes the scope of the test, the vulnerabilities found and the resulting risks. Finally, the client is presented with a recommendation for each finding on how to proceed further with the identified vulnerability in order to increase the security of the system.

Vulnerability assessment personnel undergo highly specific technical training and need continuous advanced training to stay updated with the latest technology. Required training is provided by both the Bundeswehr and civilian educational institutes.

Penetration testing. The vulnerability assessment reveals technical vulnerabilities in ITInformationstechnik systems. The BwCyberSecC in Rheinbach, however, carries out even more in-depth analysis: penetration testing.

In the BwCyberSecC Penetration Testing Branch, highly specialized ITInformationstechnik experts are working on testing the resilience of critical ITInformationstechnik systems of the Bundeswehr against cyber attacks in order to increase the cyber security of the Bundeswehr as a whole in this way. Penetration tests are in-depth technical analyses simulating realistic cyber attacks against critical components or against entire systems using special testing tools. While vulnerability assessment ideally aims at detecting all technical vulnerabilities of a system, a penetration test is particularly about showing the exploitability of existing vulnerabilities.

Penetration tests are generally carried out using the white box approach. Throughout the entire penetration test, close cooperation between the penetration team and the user responsible for the system is essential for successful completion. After completion, the findings gained are used to draw up recommendations for action that are tailored to the tested system and thus to enhance the system’s cyber security over the long term. Owing to risk evaluation carried out, the individual system manager is provided with key information for both short-term improvements and future planning.

The current focus of penetration testing in the Bundeswehr is on weapons and special systems, which is due to advancing digitalization. In addition, command and control information systems, critical ITInformationstechnik projects, ITInformationstechnik services and applications are subject to testing. Furthermore, penetration test specialists are also able to analyze firmware, codes and non-IP based protocols.

In future, penetration testing is already scheduled to take place at an early stage in armament in order to identify critical vulnerabilities during development and enable their remedy before transfer into use.

Red Teaming – From the Point of view of an Attacker

ITInformationstechnik systems of the Bundeswehr in operation are regularly checked for security using red teaming. From the point of view of an attacker, we ask ourselves the question where “we” could cause the greatest possible damage. Where is the Bundeswehr ITInformationstechnik most vulnerable? Once the target is clear, the “in-house” specialists of the CyberOpsC try to find “the best way to gain access into” during ongoing operations. They are facing a real defender. Such attack situations are realistically covert and can extend over a long period of time. They are particularly suitable for finding blind spots in the security architecture.

With the help of this cyber security measure, it is possible to realistically assess the existing attack barrier for a real attacker at “Champions League level”. Beyond that, valuable information is gained about the maturity level of the ITInformationstechnik infrastructure and the processes within the organization.

Differentiation Between Red Teaming, Penetration Testing and Vulnerability Assessment

The table below compares red teaming, penetration testing and vulnerability assessment. The BwCyberSecC carries out penetration tests and vulnerability assessments only. Read teaming is a capability of the CyberOpsC.

Protection and Prevention

Information Security Awareness (InfoSecAwareness). One of the best security measures are well-trained and sensitized users. Attackers exploit various human characteristics such as fear and curiosity as vulnerabilities, for example to gain access to a computer by means of phishing. From the infiltrated computer, the attackers attempt to penetrate the network and then work their way towards the actual target.
Information security officers for every organization. In order to make it more difficult for an attacker to access Bundeswehr ITInformationstechnik, there are standards regarding the configuration of computers and network components as well as rules for users on how to deal with their ITInformationstechnik. In order to increase vigilance against such attacks, it is necessary to raise users’ awareness of ITInformationstechnik security behavior on a regular basis. For this purpose, every organization of the Bundeswehr has an information security officer.

The task of the experts for awareness raising at the BwCyberSecC is to support the information security officers, for example by developing the contents of regular awareness raising further and presenting their products in an illustrative form. Users may also be provided with things to know for private use, thus increasing their interest in the issue of information security. The package of measures is diverse: For example, organizations are advised to stage an Information Security Awareness Day once a year to inform their personnel about the dynamically changing threats in cyberspace and new attack scenarios. To this end, the information security officers are required to enter into active dialogue with the members of their organizations.

One approach to overcome PowerPoint presentations as the only means of presentation and to offer security issues in a more attractive form is the concept of gamification, which aims to convey knowledge with the help of game attributes. The portfolio of gamification tools ranges from simple playing cards to simulation games in which cyber attack and defense scenarios are exercised. Such gamification products, but also up-to-date posters, flyers and thematic presentations are developed in cooperation with the CISD HQHeadquarters InfoSecAwareness Working Group. Members of the Bundeswehr, the Federal Ministry of Defense (FMoDFederal Ministry of Defence) and BWI are represented there. BWI is the central ITInformationstechnik service provider of the Bundeswehr. The Working Group sees itself as a think tank for new awareness products made available to the information security officers of the Bundeswehr on a download portal.

Active awareness raising through phishing campaigns. Personnel in the FMoDFederal Ministry of Defence area of responsibility are regularly the target of phishing e-mails – currently one of the largest gateways for harmful software. Not only may they lead to financial damage, but they may also put the life and limb of soldiers on deployment at risk. Dangers mostly arise from a lack of necessary vigilance and the failure to detect phishing e-mails as such and take appropriate action.

Without repeated training, vigilance among ITInformationstechnik users normally decreases as time goes by. Personal experiences and, in particular, being affected by an ITInformationstechnik security incident create lasting impressions. In the Bundeswehr, this is called "realistic training".

Therefore, the CISOBwChief Information Security Officer is running a sustained phishing awareness campaign, among other things. For example, ITInformationstechnik users are actively sensitized to the handling of e-mails from unknown senders. This does not harm personnel and the Bundeswehr ITInformationstechnik system.

The aim of such campaigns is, by sending bogus phishing e-mails, to increase the awareness of dangers from the cyber and information space and of the threat posed by phishing and spear phishing and to reach ITInformationstechnik users at all command levels.
By reflection on one's own behavior and information on how to spot such “dangerous e-mails”, a sustainable behavioral change and strengthening of the sense of responsibility of Bundeswehr personnel in dealing with e-mails and e-mail attachments is to be ensured.

Conclusion

The information security organization of the Bundeswehr with the CISOBwChief Information Security Officer at its top has a comprehensive and innovative structure, with information security officers for all organizations as well as projects operated as decentralized elements and the BwCyberSecC as the central element. It is thus well positioned to monitor ITInformationstechnik security in the Bundeswehr, to identify technical and organizational vulnerabilities and have them remedied effectively by those responsible.
To ensure that protection against the background of growing threats in cyberspace remains effective, all members of the Bundeswehr whatever their role – whether as ITInformationstechnik users, administrators, troop commanders or project managers – make a contribution by raising their awareness.

by KdoCIR   email